Security settings in the Appliance
Security settings in the Appliance
The Appliance uses standard mechanisms for authentication and security:
- Connections to the CLI of the Appliance are established through OpenSSH, which is the SSH implementation installed in the operating system of the Appliance.
- Connections to the Portal are managed by the security layer of the underlying Java implementation.
- Connections to the Web Console and the Web API of the Engine are encrypted and authenticated with TLS.
Starting from V6.17, the Appliance hardening ensures that the ciphers and algorithms negotiated by the security protocols in the Appliance are currently considered strong (with the exception of the Web Console, which still admits TLS 1.0 connections by default).
Legacy browsers still in use within your organization may require though the use of protocols, ciphers and algorithms that are no longer considered secure. Nexthink recommends that you update your software so that it implements the latest security mechanisms. Nevertheless, in case that you cannot easily replace your legacy browsers, find below how to configure the Portal and the Engine to support security protocols that are not strong enough to be enabled by default.
Portal secure protocols and ciphers
By default, the Portal supports TLS 1.1 and TLS 1.2 as security protocols. Most modern browsers and operating systems are able to use these protocols to secure their communications over the Internet. Associated to these protocols, the Portal also supports a default set of cipher suites (considered strong) to negotiate the security settings of a connection.
However, users of Internet Explorer in either Windows Vista or Windows XP, for instance, are limited to TLS 1.0. Therefore, if you want the Portal to support TLS 1.0, you must add it to the list of supported protocols in the configuration file of Nginx, the reverse proxy component of the Portal that handles the connections.
To change the supported protocols and cipher suites:
- Log in to the CLI of the Appliance hosting the Portal.
- Edit the SSL configuration file of Nginx:
sudo vi /var/nexthink/nxnginx/conf.d/ssl.conf.overrides
- Type in the names of the supported protocols and cipher suites in the entries:
- Save the file and exit by typing:
- Restart the Portal:
sudo systemctl restart nxportal
For instance, these are the protocols and cipher suites supported by default:
ssl_protocols = TLSv1.1 TLSv1.2; ssl_ciphers = "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
To support the protocol TLS 1.0 in addition to the default protocols TLS 1.1 and TLS 1.2, substitute the entry of included protocols for:
ssl_protocols = TLSv1, TLSv1.1 TLSv1.2;
Specify the names of supported ciphers in the format understood by the OpenSSL library. See the full list of supported ciphers with the command:
Engine secure protocols and ciphers
To secure the communications through the Web API, the Engine supports by default both TLS 1.1 or TLS 1.2 and a set of ciphers considered strong. These security settings are also valid for the query interface with the Finder and the Portal, as well as for the LDAP and the Application Library clients.
The security settings are configurable in the ssl section of the configuration file /var/nexthink/engine/01/etc/nxengine.xml. If they are not specified, their configuration is equivalent to the following values:
<config> <engine> ... <ssl> <ciphers>ECDHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-SHA,ECDHE-RSA-AES128-SHA,DHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES128-GCM-SHA256,DHE-RSA-AES256-SHA,DHE-RSA-AES128-SHA, AES256-SHA,AES128-SHA</ciphers> <protocols>tlsv1.1,tlsv1.2</protocols> </ssl> ... </engine> </config>
To configure a different set of supported ciphers and protocols, modify each element in the ssl section:
- List of ciphers supported by the Engine. Specify the names of the ciphers in the format accepted by openssl. Separate each supported cipher either by a colon ':' or a comma ',' delimiter. To see the list of all the available ciphers that you can choose from, log in to the CLI of the Engine and type:
- List of supported protocols, separated by comma ',' delimiters.
For instance, to support old browsers, enable protocols SSL 3.0 and TLS 1.0:
Note that there is no need to modify the ciphers, since these protocols can use AES256-SHA and AES128-SHA, which are allowed by default.
Web Console secure protocol and ciphers
Contrary to the previous two cases of the Portal and the Engine, the Web Console still admits clients to connect through TLS 1.0 by default. Legacy browsers can therefore connect to the Web Console without modification. To ensure instead that the Web Console does not negotiate unsecure protocols, disable them from its configuration file.
To disable both TLS 1.0 and TLS 1.1, and exclusively use TLS 1.2 in the Web Console:
- Log in to the CLI of the Appliance that hosts the Web Console.
- Edit the configuration file of the web server that provides the communication to the Web Console:
sudo vi /var/nexthink/console/etc/lighttpd.conf
- Locate in the file the line that holds the list of ciphers, starting with:
- Replace it with the following lines:
ssl.honor-cipher-order = "enable"
ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM"
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
ssl.use-compression = "disable"
setenv.add-response-header = (
"Strict-Transport-Security" => "max-age=63072000; includeSubDomains; preload",
"X-Frame-Options" => "DENY",
"X-Content-Type-Options" => "nosniff")
- Save your changes and exit by typing:
- Restart the Web Console:
sudo systemctl restart nxconsole